The new European data protection law, the General Data Protection Regulation (GDPR), applies from 25 May 2018. The new framework puts considerable pressure on online and offline businesses of all sizes because it tightens the rules under which the personal data of E.U. residents may be collected, stored, and disclosed. Although it is E.U. legislation, the GDPR also applies to organizations that have no physical presence in the European Union.
To guide you through the new E.U. data protection framework, we have put together a 10-step guide that will help you understand the formal requirements of the GDPR and its new standards for personal data security.
1. Scope of the GDPR
Although the GDPR is European legislation, it may also apply to businesses located in other jurisdictions. More specifically, the GDPR applies to natural and legal persons that process personal data and:
- Are established in the E.U.;
- Are not established in the E.U. but process personal data through data processors that are established in the E.U.; or
- Are not established in the E.U. but offer goods or services to data subjects in the E.U. or monitor their behaviour within the E.U. (e.g., through online tracking).
The GDPR does not apply to a natural person who processes personal data in the course of a purely personal or household activity (e.g., browsing social media websites).
2. Tracking personal data
The GDPR defines personal data as any information relating to an identified or identifiable natural person. Personal data therefore includes names, physical addresses, email addresses, social security numbers, location data, genetic data, biometric data, health data, and online identifiers such as IP addresses.
The GDPR requires you to apply the principle of data minimization: personal data must be adequate, relevant, and limited to what is necessary for the purpose for which it is processed. In practice, you may collect and process only the personal data needed to provide the requested service.
In order to keep track of all the personal data that you collect, store, access, share, and process online and offline, document these processing activities for your own records. Beyond good practice, you are legally obliged to maintain records of processing activities unless you employ fewer than 250 persons and the processing is only occasional, is unlikely to result in a risk to data subjects, and does not involve special categories of personal data or data relating to criminal convictions.
It is important to note that the GDPR imposes stricter requirements (e.g., obtaining explicit consent) for special categories of personal data, such as a person’s racial or ethnic origin, political, religious, and philosophical opinions, trade union membership, genetic data, biometric data, healthcare data, and data concerning a natural person’s sex life or sexual orientation.
3. Collaboration with third parties
Under the GDPR, third parties that process personal data on your behalf, such as cloud storage providers, hosting providers, and newsletter providers, are data processors. The law requires the relationship between you (the data controller) and your data processors to be governed by a written data processing agreement that sets out (1) the types of personal data and categories of data subjects concerned, (2) the nature and purposes of processing, (3) the duration of processing, (4) the security measures the processor must apply, and (5) how the processor assists you in meeting your obligations under the GDPR (e.g., responding to data subject requests and reporting breaches).
If the third parties are located outside the EEA, you may disclose or transfer personal data to them only if certain conditions are met, including, but not limited to:
- The third party is established in a country for which the European Commission has issued an adequacy decision;
- You conclude a contract with the third party on the basis of standard contractual clauses approved by the Commission, or the transfer is covered by approved binding corporate rules;
- The data subject has given explicit consent to the transfer after being informed of its possible risks; or
- The transfer is necessary for the conclusion or performance of a contract with the data subject.
4. Consent
Consent is one of the legal grounds for lawful processing under the GDPR. To be valid, consent must be obtained before processing starts, be specific and informed, be freely given, and be expressed by a clear affirmative act (pre-ticked boxes and inactivity do not count); for special categories of personal data it must be explicit. You must also be able to demonstrate that consent was given and allow it to be withdrawn as easily as it was given. You do not need consent if the processing is necessary to perform a contract with the data subject (e.g., booking an appointment, providing the requested service, or delivering a product), to comply with a legal obligation, or to pursue your legitimate interests where these are not overridden by the interests or rights of the data subject, among other limited circumstances.
5. Data protection and storage
Under the GDPR, personal data may be retained only as long as its storage is necessary for the purpose for which it was collected; afterwards it must be deleted or anonymized. Where the applicable law requires you to keep personal data (e.g., invoices for accountancy purposes), you may retain it for as long as that legal obligation lasts, but only for that purpose.
To protect personal data, you must take appropriate organizational and technical security measures proportionate to the risk (e.g., restricting employees’ access to personal data to what their role requires, pseudonymization or anonymization, secured networks, and encryption of data in transit and at rest), and you must ensure that the data processors you work with provide sufficient guarantees that equivalent measures are in place.
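As an added illustration of two of the technical measures named above (pseudonymization and anonymization, applied together with data minimization from step 2), the following Python helpers are example code written for this guide, not part of the original text or of any particular product. They assume a constructed HMAC key and constructed sample analytics events; in a real deployment the key would come from a secrets manager or HSM and be stored separately from the pseudonymized data.

```python
"""Pseudonymize identifiers and anonymize IP addresses before storing events.

Added example (not from the original guide). Assumptions are marked below.
"""
import hashlib
import hmac
import ipaddress
import secrets

# ASSUMPTION: a constructed, fixed key so the example is deterministic. In
# production generate it with new_key() and keep it apart from the dataset.
PSEUDONYM_KEY = bytes.fromhex("00" * 32)


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key."""
    return secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Return a stable, keyed token for `value`.

    A keyed HMAC-SHA256 is used instead of a plain hash: without the key an
    attacker cannot run a dictionary of e-mail addresses through the function
    to reverse the tokens. The field/dataset name is mixed in so the same
    person gets unrelated tokens in different datasets, which prevents
    linking them without the key. Normalization (strip + lower-case) keeps
    "Alice@Example.org" and "alice@example.org" on one token.
    """
    normalized = value.strip().lower().encode("utf-8")
    message = field.encode("utf-8") + b"\x00" + normalized
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def anonymize_ip(ip: str) -> str:
    """Truncate an IP address so it no longer points at a single host.

    IPv4 keeps the /24 prefix (last octet zeroed); IPv6 keeps the /48
    prefix. Handles both families via the standard library.
    """
    addr = ipaddress.ip_address(ip)
    prefix_len = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return str(network.network_address)


def minimize_record(record: dict, key: bytes) -> dict:
    """Reduce a raw event to the fields an analytics pipeline actually needs.

    The raw e-mail is replaced by a pseudonym, the IP by its truncated
    prefix, and fields that the purpose does not require (name, full IP)
    are dropped rather than stored.
    """
    return {
        "user_token": pseudonymize(record["email"], key, "analytics"),
        "ip_prefix": anonymize_ip(record["ip"]),
        "event": record["event"],
    }


# Constructed sample input (not real data).
SAMPLE_EVENTS = [
    {"email": "Alice@Example.org", "name": "Alice", "ip": "203.0.113.42",
     "event": "login"},
    {"email": "alice@example.org", "name": "Alice", "ip": "2001:db8:abcd:1234::1",
     "event": "purchase"},
]


def demo() -> list:
    """Run the minimization over the constructed events."""
    return [minimize_record(event, PSEUDONYM_KEY) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats matter in practice. Pseudonymized data is still personal data under the GDPR as long as the key exists, because anyone holding the key can re-identify the tokens; only the truncated IP prefixes here move towards anonymization. Keeping the key separate from the dataset, and destroying it when the retention period in step 5 ends, is what makes the stored tokens unusable for re-identification.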
6. Data subjects’ rights
Data subjects have the following rights under the GDPR, and you must be able to respond to a request without undue delay and within one month (extendable in complex cases):
- The right to access personal data (e.g., obtaining a copy of the personal data you store about the data subject);
- The right to correct personal data (e.g., a change of contact details);
- The right to erasure (the “right to be forgotten”) and the right to object to processing, including profiling;
- The right to restrict the processing of personal data;
- The right to data portability (to receive the personal data they provided in a structured, commonly used, machine-readable format, or to have it transmitted directly to another data controller); and
- The right to lodge a complaint with a supervisory authority about the handling of their personal data.
7. Identification and transparency
Where you rely on consent to offer online services directly to children, the GDPR requires the consent of a parent or guardian for children below the age of 16 (E.U. member states may lower this threshold, but not below 13). To comply, consider putting systems in place to verify users’ ages and to obtain and record the required consent, making reasonable efforts given the available technology. Also, give parents or guardians the opportunity to request the erasure of children’s personal data that was collected without their consent.
9. Data breaches
The GDPR sets strict rules for reporting security breaches that affect personal data. In a nutshell, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to data subjects; details that are not available at the time may be provided in phases. If the breach is likely to result in a high risk to data subjects, you must also inform the affected individuals without undue delay. Should a breach occur in a data processor’s systems, the processor must notify you without undue delay. Make sure you have procedures in place to detect, contain, report, and investigate breaches, and document every breach, including those you decide not to report.
10. Data Protection Officer (DPO)
You can voluntarily appoint a DPO, a person who assists you in complying with the GDPR and in monitoring and documenting how personal data is processed within your organization. The GDPR requires you to appoint a DPO if:
- Your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
- Your core activities consist of processing special categories of personal data, or data relating to criminal convictions, on a large scale; or
- You are a public body or authority.
Separately, where processing is likely to result in a high risk to the rights and freedoms of data subjects, you must carry out a data protection impact assessment before starting, and the DPO advises on and monitors that assessment.